Venus Prime - turvy_fuzz's results

Earn, borrow & lend on the #1 Decentralized Money Market on the BNB chain.

General Information

Platform: Code4rena

Start Date: 28/09/2023

Pot Size: $36,500 USDC

Total HM: 5

Participants: 115

Period: 6 days

Judge: 0xDjango

Total Solo HM: 1

Id: 290

League: ETH

Venus Protocol

Researcher Performance

Rank: 30/115

Findings: 1

Award: $198.48

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

198.4834 USDC - $198.48

Labels

bug
3 (High Risk)
satisfactory
duplicate-555

External Links

Lines of code

https://github.com/code-423n4/2023-09-venus/blob/main/contracts/Tokens/Prime/Prime.sol#L221

Vulnerability details

Impact

updateScores() breaks and reverts due to an arithmetic underflow of the pendingScoreUpdates variable.

Proof of Concept

updateScores():

function updateScores(address[] memory users) external {
    if (pendingScoreUpdates == 0) revert NoScoreUpdatesRequired();
    if (nextScoreUpdateRoundId == 0) revert NoScoreUpdatesRequired();

    for (uint256 i = 0; i < users.length; ) {
        address user = users[i];

        if (!tokens[user].exists) revert UserHasNoPrimeToken();
        if (isScoreUpdated[nextScoreUpdateRoundId][user]) continue;

        address[] storage _allMarkets = allMarkets;
        for (uint256 j = 0; j < _allMarkets.length; ) {
            address market = _allMarkets[j];
            _executeBoost(user, market);
            _updateScore(user, market);

            unchecked {
                j++;
            }
        }

        // checked decrement: reverts once the counter reaches 0
        pendingScoreUpdates--;
        isScoreUpdated[nextScoreUpdateRoundId][user] = true;

        unchecked {
            i++;
        }

        emit UserScoreUpdated(user);
    }
}

In each iteration, pendingScoreUpdates is decremented:

            pendingScoreUpdates--;

This assumes pendingScoreUpdates is always >= the number of users that hold a PrimeToken; otherwise the decrement underflows. That assumption does not hold: the counter is only updated directly in a few places, e.g. in _burn(), but it is not updated when new users are issued Prime tokens. As a result, pendingScoreUpdates can be smaller than the number of users for which a PrimeToken exists once that number increases.

Tools Used

Manual Review

Recommended Mitigation Steps

Reconsider the pendingScoreUpdates interactions. I suggest directly updating pendingScoreUpdates when issue() is called, and possibly also checking that the length of the passed users array matches pendingScoreUpdates in updateScores().
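The following is an added example, not code from the Venus Prime contract or from this submission: a small Python model of the pendingScoreUpdates bookkeeping around updateScores(), used to reproduce the underflow described in the Proof of Concept and to show the effect of the two mitigations suggested above. The PrimeModel class, the start_round() helper (which assumes a new round sets the counter to the current holder count), the exception classes and the choice to bound the batch size by the counter rather than require strict equality are this example's own assumptions; _executeBoost and _updateScore are omitted because only the counter matters here.

```python
class NoScoreUpdatesRequired(Exception):
    """Mirrors the contract's NoScoreUpdatesRequired() revert."""


class UserHasNoPrimeToken(Exception):
    """Mirrors the contract's UserHasNoPrimeToken() revert."""


class ArithmeticUnderflow(Exception):
    """Stands in for the checked-arithmetic panic that `--` raises at 0 in Solidity >= 0.8."""


class LengthMismatch(Exception):
    """Revert used by the hardened variant when users.length exceeds pendingScoreUpdates (assumption)."""


class PrimeModel:
    """Model of the counter logic only; it is not the Prime contract."""

    def __init__(self, fixed: bool):
        self.fixed = fixed                  # False = behaviour in the finding, True = with mitigations
        self.holders = set()                # users for which tokens[user].exists would be true
        self.pending_score_updates = 0
        self.next_score_update_round_id = 0
        self.is_score_updated = {}          # round id -> set of users already updated in that round

    def start_round(self):
        # Assumption for the model: a new round sets the counter to the current holder count.
        self.next_score_update_round_id += 1
        self.pending_score_updates = len(self.holders)
        self.is_score_updated[self.next_score_update_round_id] = set()

    def _needs_update(self, user):
        rid = self.next_score_update_round_id
        return rid != 0 and user not in self.is_score_updated[rid]

    def issue(self, user):
        self.holders.add(user)
        # First mitigation from the finding: a holder issued mid-round is pending work.
        if self.fixed and self._needs_update(user):
            self.pending_score_updates += 1

    def burn(self, user):
        self.holders.discard(user)
        # The finding notes _burn() is one of the few places that adjusts the counter.
        if self._needs_update(user) and self.pending_score_updates > 0:
            self.pending_score_updates -= 1

    def update_scores(self, users):
        if self.pending_score_updates == 0:
            raise NoScoreUpdatesRequired()
        if self.next_score_update_round_id == 0:
            raise NoScoreUpdatesRequired()
        # Second mitigation from the finding: bound the batch by the counter.
        if self.fixed and len(users) > self.pending_score_updates:
            raise LengthMismatch()
        rid = self.next_score_update_round_id
        for user in users:  # plain Python iteration; the Solidity index handling is not modelled
            if user not in self.holders:
                raise UserHasNoPrimeToken()
            if user in self.is_score_updated[rid]:
                continue
            if self.pending_score_updates == 0:
                raise ArithmeticUnderflow()  # what `pendingScoreUpdates--` does at 0
            self.pending_score_updates -= 1
            self.is_score_updated[rid].add(user)


def run_scenario(fixed: bool) -> str:
    """Two holders exist when the round starts, a third is issued afterwards, then all three are updated."""
    m = PrimeModel(fixed)
    m.issue("alice")
    m.issue("bob")
    m.start_round()    # pendingScoreUpdates == 2
    m.issue("carol")   # vulnerable: counter stays at 2; hardened: counter becomes 3
    try:
        m.update_scores(["alice", "bob", "carol"])
    except ArithmeticUnderflow:
        return "underflow"
    return "ok"


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))  # underflow
    print("hardened:  ", run_scenario(fixed=True))   # ok
```

The model makes the invariant explicit: updateScores() is only safe while pendingScoreUpdates is at least the number of holders not yet updated in the current round, and issue() is the path that silently violates it. Counting newly issued holders keeps the invariant; the batch-size check turns a late violation into an early, explicit revert instead of a panic mid-loop.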

Assessed type

Under/Overflow

#0 - c4-pre-sort

2023-10-05T00:01:52Z

0xRobocop marked the issue as duplicate of #555

#1 - c4-judge

2023-11-01T02:09:26Z

fatherGoose1 marked the issue as satisfactory
